Hi Eric,

> Right now, I believe OSSEC is only able to correlate multiple failed logins
> if they all happen to show up on only 1 of the log files
That is not correct. The rules are based on the content of a log, not on the source. Pay attention to the following rules:

    <rule id="5700" level="0" noalert="1">
      <decoded_as>sshd</decoded_as>
      <description>SSHD messages grouped.</description>
    </rule>

    <rule id="5710" level="5">
      <if_sid>5700</if_sid>
      <match>illegal user|invalid user</match>
      <description>sshd: Attempt to login using a non-existent user</description>
      <group>invalid_login,authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_10.6.1,</group>
    </rule>

It is looking for the strings "illegal user" or "invalid user" in an ssh log. When is it an ssh log? If it is decoded as ssh:

    <decoder name="sshd">
      <program_name>^sshd</program_name>
    </decoder>
    ...

Usually, there are no checks for the source of an event.

I hope it helps.

Regards.

On Tuesday, June 27, 2017 at 5:47:05 PM UTC+2, Eric wrote:
>
> I'm using OSSEC in a slightly untraditional way as a pseudo SIEM. I have it
> running on 1 server and it's parsing through logs that are coming from
> multiple sources and then alerting me on what is going on. Overall this has
> worked fine but now I'm needing to spread out the load and the logs are
> being written to multiple files. Is there a way to tell OSSEC to treat 5
> separate log files as the same source?
>
> The use case I have is file1.log, file2.log, file3.log, file4.log, and
> file5.log are all load balanced across a F5 VIP. So if you have
> multiple failed logins from user1 on server1, those failed logins could
> show up in any of the 5 log files. Right now, I believe OSSEC is only able
> to correlate multiple failed logins if they all happen to show up on only 1
> of the log files.
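An added illustration (not OSSEC's own code) of the decode-then-match flow the reply describes: a line is first decoded by program name (`^sshd`), then rule 5710's match strings are applied, and hits are counted per source IP across all five files so the source file never matters. The sample log lines are constructed, and the syslog regex and the per-IP threshold are assumptions standing in for OSSEC's real pre-decoder and frequency rules.

```python
import re
from collections import defaultdict

# Constructed sample lines, as if tailed from the five load-balanced files.
SAMPLE_LOGS = {
    "file1.log": ["Jun 27 17:40:01 server1 sshd[2201]: Invalid user admin from 203.0.113.7 port 51122"],
    "file2.log": ["Jun 27 17:40:03 server1 sshd[2202]: Invalid user admin from 203.0.113.7 port 51123",
                  "Jun 27 17:40:04 server1 cron[900]: (root) CMD (run-parts /etc/cron.hourly)"],
    "file3.log": ["Jun 27 17:40:05 server1 sshd[2203]: Accepted password for user1 from 198.51.100.4 port 40000 ssh2"],
    "file4.log": ["Jun 27 17:40:06 server1 sshd[2204]: Invalid user admin from 203.0.113.7 port 51124"],
    "file5.log": ["Jun 27 17:40:07 server1 sshd[2205]: Invalid user admin from 203.0.113.7 port 51125"],
}

# Assumed syslog layout: "Mon DD HH:MM:SS host program[pid]: message".
SYSLOG_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d (\S+) (\S+?)(?:\[\d+\])?: (.*)$")
DECODER_SSHD = re.compile(r"^sshd")                        # <program_name>^sshd</program_name>
RULE_5710 = re.compile(r"illegal user|invalid user", re.I)  # <match> of rule 5710; OSSEC matching is case-insensitive
SRCIP_RE = re.compile(r"from (\d+\.\d+\.\d+\.\d+)")


def decode(line):
    """Split a syslog line into (program_name, message), like OSSEC's pre-decoder."""
    m = SYSLOG_RE.match(line)
    return (m.group(2), m.group(3)) if m else (None, line)


def match_rule_5710(line):
    """Rule 5700 groups events decoded as sshd; 5710 then fires on its match strings."""
    prog, msg = decode(line)
    if prog is None or not DECODER_SSHD.match(prog):
        return False  # not decoded as sshd, so 5700 (and therefore 5710) never matches
    return bool(RULE_5710.search(msg))


def correlate(logs, threshold=4):
    """Count 5710 hits per source IP across ALL files; the threshold is an assumed value."""
    hits = defaultdict(list)
    for fname, lines in logs.items():
        for line in lines:
            if match_rule_5710(line):
                ip = SRCIP_RE.search(line)
                hits[ip.group(1) if ip else "unknown"].append(fname)
    return {ip: files for ip, files in hits.items() if len(files) >= threshold}


if __name__ == "__main__":
    for ip, files in correlate(SAMPLE_LOGS).items():
        print(f"{ip}: {len(files)} invalid-user attempts spread over {sorted(set(files))}")
```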